
Online voting is a peculiarly frustrating issue for me. Because of my professional background, I am a serious skeptic. But the idea appeals strongly to many people who have the best of motives but don't have an information technology background. (It also appeals to some technical people but I know very few and they mostly seem to be really into Bitcoin.)

Most people agree that low voter turnout is a problem, especially among young people. Online voting seems like it would be easier and more appealing, and therefore increase turnout. We've all used online systems for serious business like banking and buying goods and they seem to work fine. So why not online voting? It's a no-brainer! Unfortunately, this assumes several things that are either wrong or lack evidence:

online voting can meet the same standards of anonymity and auditability and reliability as the paper system

online voting can be implemented at reasonable cost

young people will be more likely to vote if they can do it online

Note that what follows is mainly thinking about general elections. I know that in local elections, postal systems that have their own problems are already in use. In the local election context, the differences are that on one hand, they're not very important so the incentives to break the electoral system aren't so high; on the other hand, the system doesn't have the same resources behind it so it's likely to be weaker than one built for a general election. In any case, my worry is that an apparently successful trial in the local context will set a precedent for general elections where the risk profile is rather different.

Executive summary

A system that meets all the requirements for an election is technically difficult.

Thus we must contemplate the risk of an expensive failure in building a system that, even if it succeeded, would not achieve our goals. At worst, we will waste citizens' money while destroying their faith in the electoral process.

"Technical" objections

It's important to acknowledge that in a strict sense, there are solutions to anonymous transactions. By "strict sense", I mean that the computer science research exists and there may be demonstration code. However, there is a big, possibly unbridgeable gap between the theoretical work and a bug-free national-scale implementation.

Furthermore, there is no easy way to explain the technology to the general public. We are reduced to saying "trust the magic". This is in contrast to the paper-based system, which is simple and transparent. I doubt that there are more than a few dozen people in NZ who could explain public key cryptography in a more than superficial way, and none who could do so in a way that made sense to the average voter.

All software has bugs. Unfortunately, it is the nature of bugs in software that unlike faults in real-world processes, they can cause total system failure when a system is in use, while being invisible to casual inspection.

Bugs are a problem in the online voting context both because they may lead to incorrect results in their own right, and because they provide ways for motivated people to "exploit" the system, i.e. cause it to crash, gain unauthorised access to data, or modify system data.

Again and again, we discover serious bugs in standard software that expose the whole system (see the "Shellshock" problem from Sept 14, or the earlier Heartbleed SSL problem). These bugs were not known to the security community until they were reported, but have existed for years, and may have been exploited by criminal groups or state actors. Quinn Norton's Everything Is Broken gives good background on this kind of worry.

Subverting the paper process at a scale that makes a difference is virtually impossible in New Zealand, as it would require malfeasance from a large number of people involved in the electoral process. But a bug in an online system could expose every piece of data handled by the system at once.

Online processes, even if technically sound in the sense of having a correct implementation of anonymous transactions that can nonetheless be traced if disputed, are vulnerable to disruption through attack forms like phishing (sending fraudulent emails with fake links to try and obtain people's credentials), denial of service attacks (overloading the infrastructure with automated requests), or attacks on other layers of the solution such as the web server software.

Such attacks, if successful, are likely to bring the election results into disrepute, even if they are ultimately dealt with successfully. This goes against the goal of increasing engagement -- if people lose faith in the electoral process, they won't vote.

Imagine 4chan deciding that disrupting a small country's election was worth doing for shits and giggles...

Public trust and integrity

Election results need to be able to be verified in case of dispute. With a paper system, any competent team of people can do a recount. With an online system that uses cryptographic techniques for verification, only a very small group of technical experts can verify. This is likely to reduce confidence in any recount process. It is precisely when a result is called into question that public trust is going to be lowest.

However, there are other scenarios than this. Many people think the only issue is manipulating the result to favour a party. But creating an incredible result (like a 99% majority for a party) would be hugely helpful in discrediting an incumbent government or an opposition. In other words, it is not necessary to create a plausible or undetectable fraud to achieve a political goal -- this can also be done by making an obviously fraudulent change.

The online banking argument

People often bring up ecommerce and banking systems as examples of successful secure online transactions. However, online banking systems all experience fraud. Although banks have a big incentive not to report this in order to retain consumer confidence, we know that online banking fraud is common.

In any case, banks do operate with acceptable levels of fraud. In the banking scenario, the bank contractually takes on the risk, indemnifying the customer as long as the customer has taken reasonable steps to install antivirus software etc. Banks implement limits on transaction volumes and transaction amounts, capping their maximum exposure -- that's why it's ok for them to tolerate flaws in their systems. Finally, banking apps don't have to support anonymous transactions.

Online banking and ecommerce are not analogous to election systems, which don't have an acceptable level of fraud, which must support anonymity, and where the system operator (the govt) bears the blame and responsibility.

"Risk" in this context means late delivery, or bugs that render the product unfit for use. Elections need to take place on a scheduled date. It would be... bad, if an election had to be re-run a week later because of project delays or system failure on the day. Yet an online voting system is almost certainly going to be a large public IT project. The track record of such projects is poor around the world and there is no reason to think that New Zealand is any different.

Coercion

In NZ's paper general election system, scrutineers and the Returning Officer can detect and prevent abusers from coercing the vote of others, because of the physical design of the voting booth. There is no way to deal with voter coercion when voting can happen in the home.

This is an objection that stands no matter how good the software implementation.

Engagement

The main motivator for proponents of online voting is that it will increase turnout. However, there is little empirical evidence for this. On the other hand, research by political scientists and the Electoral Commission suggests that an important reason why people don't vote is that they don't care or don't believe it will make a difference.

We can see from the recent Scottish independence referendum, or the lengths that African-Americans went to in Ohio to vote in Obama's first campaign, that people will vote even in difficult conditions if they are motivated. By contrast, the recent Norwegian evoting experiment yielded "no evidence that [evoting] led to a rise in the overall number of people voting nor that it mobilised new groups, such as young people."

Even granting that an online process making things easier would encourage voting, we have to remember that a vote in an online system will not be like a poll or a survey on Stuff. Voters have to obtain credentials for their vote and input them into the system. Experience in NZ with validated RealMe is that it is tiresome to obtain, which is reflected in the very low uptake. We can also see that public online systems tend to have poor usability. There is no particular reason to think that an NZ online system will in fact make the voting process easier.

NZ Working group

The working group has some really sound policy people, and some great business IT people, but no programmers or security experts on it, although some experts were consulted. The experts who were consulted were not named and an OIA has been declined on grounds of commercial sensitivity.

In their report, the kinds of objections I raise above were essentially punted as issues that will have to be monitored or that will be resolved in a trial. This does not inspire confidence.

It's important to consider also that local government simply does not have the high stakes that a national election does (ironically, this is reflected in voter turnout). A system that is "good enough" for local voting, in the sense of having survived real-world use, may very well not be good enough for a general election.